[1200] in WWW Security List Archive
source code security
daemon@ATHENA.MIT.EDU (Steve)
Fri Dec 1 17:29:30 1995
From: Steve <steve@mordred.gatech.edu>
To: www-security@ns2.rutgers.edu
Date: Fri, 1 Dec 1995 13:33:14 -0500 (EST)
Errors-To: owner-www-security@ns2.rutgers.edu
Hello,
I'm curious to know if there is any way for anyone to look at the source code
for cgi-scripts if the code lies in a /cgi-bin directory. Typically I try to
develop in a directory "unknown" to the server, then move the binary into the
appropriate location; is this unnecessary? For example, accessing the URL
http://server.machine/cgi-bin/
will not give an index listing of all files in the directory. I was informed,
however, that if (assuming you're using NCSA's httpd) you define DocumentRoot
to be, say, /docdir, then define something like
ScriptAlias /schmoe/cgi-bin /docdir/cgi-bin/schmoe
(defining a "cgi-aware" directory under the DocumentRoot hierarchy) you leave
yourself open to snoopers who can access the URL
http://server.machine/schmoe/cgi-bin
and get a listing of the directory's contents (assuming indexing is on). From
that point they can click on, say, the source code for "mymailer.c" and see
where you made the mistake of using, oh, popen() and attack your server.
I have yet to see this work, but still, I am curious to know if this is a
legitimate concern. People should probably develop in another directory
anyway ...
Any input is appreciated,
steve
_____________________________________________________________________________
Can't think of anything right now, other than the traditional e-mail address:
steve@mordred.gatech.edu
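As an added example (not part of Steve's post, and not code from NCSA httpd or any other project), here is the check a practitioner would run against the layout described in the message: a small Python script that reads a combined httpd configuration fragment, finds every ScriptAlias whose filesystem target sits under DocumentRoot, works out the URL at which that target is also reachable as plain documents, and reports whether an enclosing <Directory> block turns indexing on. The two configuration fragments, the alternate path /usr/local/etc/httpd/cgi-bin/schmoe, and the single-file layout of the directives are constructed for the example; NCSA httpd actually splits them across srm.conf and access.conf, which is an assumption the parser ignores.

```python
import posixpath
import re

# Constructed sample configs in NCSA/Apache 1.x directive syntax (not from any real host).
# The first does what the post describes: a ScriptAlias whose target lives inside
# DocumentRoot, with directory indexing enabled for that subtree.
RISKY_CONF = """\
DocumentRoot /docdir
ScriptAlias /schmoe/cgi-bin /docdir/cgi-bin/schmoe
<Directory /docdir>
Options Indexes FollowSymLinks
</Directory>
"""

# The corrected layout: CGI tree outside DocumentRoot, indexes off under DocumentRoot.
# (The target path is assumed for the example.)
SAFE_CONF = """\
DocumentRoot /docdir
ScriptAlias /schmoe/cgi-bin /usr/local/etc/httpd/cgi-bin/schmoe
<Directory /docdir>
Options FollowSymLinks
</Directory>
"""

DIR_BLOCK = re.compile(r"<Directory\s+(\S+)\s*>(.*?)</Directory>", re.S | re.I)


def _norm(path):
    # Normalise so "/docdir/" and "/docdir" compare equal and ".." cannot fool the prefix test.
    return posixpath.normpath(path)


def _under(path, root):
    path, root = _norm(path), _norm(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def parse_conf(text):
    """Pull out DocumentRoot, the ScriptAlias (url, path) pairs and per-directory Options."""
    doc_root = None
    script_aliases = []
    dir_options = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "documentroot" and len(parts) == 2:
            doc_root = parts[1]
        elif key == "scriptalias" and len(parts) == 3:
            script_aliases.append((parts[1], parts[2]))
    for m in DIR_BLOCK.finditer(text):
        opts = set()
        for line in m.group(2).splitlines():
            parts = line.split()
            if parts and parts[0].lower() == "options":
                opts.update(p.lower() for p in parts[1:])
        dir_options[_norm(m.group(1))] = opts
    return doc_root, script_aliases, dir_options


def find_exposed_script_dirs(text):
    """Return (url_prefix, fs_path, alt_url, indexes_on) for every ScriptAlias whose
    target sits under DocumentRoot.  alt_url is the URL path at which the same files
    are served as ordinary documents through the DocumentRoot mapping, so a request
    for alt_url + "/mymailer.c" returns the C source rather than running anything."""
    doc_root, aliases, dir_options = parse_conf(text)
    findings = []
    if doc_root is None:
        return findings
    for url_prefix, target in aliases:
        if not _under(target, doc_root):
            continue
        rel = _norm(target)[len(_norm(doc_root)):]  # e.g. "/cgi-bin/schmoe"
        alt_url = rel or "/"
        # Indexes (or All) in any <Directory> block that encloses the target enables listings.
        indexes_on = any(_under(target, d) and ("indexes" in opts or "all" in opts)
                         for d, opts in dir_options.items())
        findings.append((url_prefix, target, alt_url, indexes_on))
    return findings


if __name__ == "__main__":
    for label, conf in (("risky", RISKY_CONF), ("safe", SAFE_CONF)):
        print(label, find_exposed_script_dirs(conf) or "no ScriptAlias target under DocumentRoot")
```

Running it reports the risky fragment as ("/schmoe/cgi-bin", "/docdir/cgi-bin/schmoe", "/cgi-bin/schmoe", True) and nothing for the corrected one. The point the alternate URL makes is that turning indexing off only removes the listing: while the script tree stays under DocumentRoot, any file whose name can be guessed is still fetchable as text through the DocumentRoot path, so the fix is to move the ScriptAlias target out of the document tree, not just to disable Indexes.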